Mar 30 05 04: 47p 



SVIPG 



408 971 46G0 



p. 5 



-2- 



TN THE CLAIMS 

(Currently Amended) A method for detecting modifications to risk 
assessment scanning caused by an intermediate device, comprising: 
initiating a risk assessment scan on a target from a remote source utilizing a 
network; 

determining whether the risk assessment scan on the target involves an 
intermediate device coupled between the target and the remote source; 
receiving results of the risk assessment scan from the target utilizing the 
network; and 

notifying an administrator if it is determined that the risk assessment scanon 
the target involves the intermediate device, wherein additional operations are 
carried out to improve a risk assessment on the target in view of the presence 
of the intermediate device coupled between the target and the remote source. 

2. (Original) The method as recited in claim 1 , wherein the intermediate device 
includes a router. 

3. (Original) The method as recited in claim \ , wherein a plurality of 
procedures are utilized to determine whether the risk assessment scan 
involves the intermediate device. 

4. (Original) The method as recited in claim 3, wherein at least one of the 
procedures includes determining a port list associated with the risk 
assessment scan. 

5. (Original) The method as recited in claim 4, wherein the at least one of the 
procedures further includes determining whether a value of a flag is different 
for communication attempts using at least two ports on the port list. 



(a) 
(b) 
(c) 
(d) 
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6. (Original) The method as recited in claim 5, wherein the flag includes an 
ip_ttl flag. 

7. (Original) The method as recited in claim 5, wherein the flag includes a 
tcp_win flag. 

8. (Original) The method as recited in claim 5, wherein the communications 
include connection attempts between the remote source and the target 
utilizing the network. 

9. (Original) The method as recited in claim 5, wherein the at least one of the 
procedures further includes indicating that the risk assessment scan involves 
the intermediate device if the value of the flag is different for the 
communication attempts using the at least two ports on the port list. 

10. (Original) The method as recited in claim 3, wherein at least one of the 
procedures includes transmitting a first request for content to the target 
utilizing the network, and transmitting a second request for a cached version 
of the content to the target utilizing the network. 

1 1 . (Original) The method as recited in claim 10, wherein the cached content is 
requested from the target utilizing a via tag. 

12. (Original) The method as recited in claim 10, wherein the at least one of the 
procedures further includes analyzing responses to the first and second 
requests. 

13. (Original) The method as recited in claim 12, wherein the at least one of the 
procedures further includes indicating that the risk assessment scan involves 
the intermediate device based on the analysis. 
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14. (Original) The method as recited in claim 13, wherein the at least one of the 
procedures further includes indicating that the risk assessment scan involves 
the intermediate device if the responses to the requests are different. 

1 5. (Original) The method as recited in claim 3, wherein at least one of the 
procedures includes transmitting a request without specifying a host header 
value. 

1 6. (Original) The method as recited in claim 1 5, wherein the at least one of the 
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